web proxy
I. BACKGROUND
Sun Microsystems Inc's Java System is a collection of server
applications bundled together. One such server application included is
the Web Proxy Server. This software implements proxy services including
HTTP and SOCKSv5.
For more information, visit
http://www.sun.com/software/products/web_proxy/home_web_proxy.xml.
Background
==========
Sarg (Squid Analysis Report Generator) is a tool that provides a great
deal of information about the activities of Squid web proxy server users:
time, sites, traffic, etc.
Affected packages
=================
By Michael Brooks
Vulnerability type: Multiple remote system command execution.
Software: Anon Proxy Server
Home page: http://sourceforge.net/projects/anonproxyserver/
Affects version: 0.100
http://www.dlink.de/?go=gNTyP9CgrdFOIC4AStFCF834mptYKO9ZTdvhLPG3yV3oV492gqltbNlwaaFp6DQoHDrpxC5H+40AAdvl
II. DESCRIPTION
Marc Ruef at scip AG found a way to evade the URL filters the web proxy
uses to prevent access to web sites.
An attacker might append a very long string to the URL to access web
resources although access to them is forbidden.
This problem could be verified in all firmware versions up to v1.12.
10.10.10.0 255.255.255.0" inside is present in the configuration, then
only crafted HTTPS requests coming from the 10.10.10.0/24 network may
represent an issue for the device.
No other HTTP(s) services are known to be affected, such as HTTP
Inspection, HTTP/HTTPS Proxy Server, and HTTP redirect.
To confirm whether the HTTPS server is enabled, log in to the FWSM and
issue the CLI command "show running-config | include http". If the output
contains both "http server enable" and "http <source IP> <address mask>
<source interface>", then the device has a vulnerable configuration. The
- Kaspersky Business Space Security
- Kaspersky Work Space Security
- Kaspersky Enterprise Space Security
- Kaspersky Targeted Security
- Kaspersky® Anti-Virus for Microsoft ISA Server
- Kaspersky® Anti-Virus for Proxy Server
- Kaspersky® Anti-Virus for Check Point Firewall-1
- Kaspersky® Anti-Virus for Windows Server
- Kaspersky® Anti-Virus for Windows Server Enterprise Edition
- Kaspersky® Anti-Virus for Novell NetWare
- Kaspersky® Anti-Virus for Linux File Server
Problem type : remote
Debian-specific: no
Debian bug : 639755
CVE IDs : CVE-2011-3205
Ben Hawkes discovered that squid3, a full-featured Web Proxy cache
(HTTP proxy), is vulnerable to a buffer overflow when processing gopher
server replies. An attacker can exploit this flaw by connecting to a
gopher server that returns lines longer than 4096 bytes. This may result
in denial of service conditions (daemon crash) or possibly the
execution of arbitrary code with the rights of the squid daemon.
BACKGROUND
The Hewlett-Packard Company thanks an anonymous researcher working with TippingPoint (www.tippingpoint.com) and the Zero Day Initiative (www.zerodayinitiative.com) for reporting this to security-alert@hp.com.
Note: The httpd.tkd module is used by several OpenView Configuration Management (CM) and OpenView Client Configuration Management (CCM) Infrastructure components. These components include OS Manager, Policy Server, Portal, Patch Manager, Proxy Server, Distributed Configuration Server and Multicast Server. There may be more than one httpd.tkd module on a system. Each must be replaced. Please refer to the patch documentation for further information.
Note: The following is for use by the HP-UX Software Assistant. Only the HP-UX versions are listed
AFFECTED VERSIONS
======================================================================
Anon Proxy Server <= 0.102 remote buffer overflow
======================================================================
Author: L4teral <l4teral [4t] gmail com>
Impact: remote buffer overflow
Status: patch available
------------------------------
3proxy ( http://3proxy.ru/ ) is a multi-platform (Windows, Linux, Unix),
multi-protocol proxy server with the ability to manage traffic flows and
bandwidth, convert requests between different proxy types,
authenticate, authorize, control, limit and account for user access, and
more.
3proxy version 0.5.3j was released to address a double free()
vulnerability in the FTP proxy module (ftppr) reported by Venustech AD-LAB
(CVE-2007-5622). Vulnerable 3proxy versions are 0.5 - 0.5.3i. Current
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2009-0478
Joshua Morin, Mikko Varpiola and Jukka Taimisto discovered an assertion
error in squid3, a full featured Web Proxy cache, which could lead to
a denial of service attack.
For the stable distribution (lenny), this problem has been fixed in
version 3.0.STABLE8-3, which was already included in the lenny release.
for port 80. But the method of converting Host to IP still works.
Squid does a better job than McAfee Web Gateway.
But it is still possible to access any site with SSL enabled, like
GMail, Facebook and Youtube (known sites that are filtered in most
companies).
Another possible attack is to find a web proxy on the internet that
allows SSL connections (there are several of them in Google!). This way,
the attacker will access the normal sites (port 80) through this web
proxy and the web proxy through Squid.
McAfee Web Gateway blocks several of these web proxies in its regular
configuration. But the appliance is vulnerable to the attacks
Problem type : remote
Debian-specific: no
CVE Id : CVE-2010-3072
Debian Bug : 596086
Phil Oester discovered that squid3, a fully featured Web Proxy cache, is
prone to a denial of service attack via a specially crafted request that
includes empty strings.
For the stable distribution (lenny), this problem has been fixed in
Dear lee.e.rian@census.gov,
Why do you think you can't do it with SNMP? Examples are setting the DNS
server option via DHCP (or the DNS domain name for the proxy server
autodiscovery protocol) or even configuring a VPN tunnel for all
traffic. I'm not sure about Tsunami; for Orinoco these settings are
read/write:
http://support.ipmonitor.com/mibs/ORINOCO-MIB/oids.aspx
====================================================================================
Vendor description:
---------------
Perdition is a fully featured POP3 and IMAP4 proxy server. It is able to
handle both SSL and non-SSL connections and redirect users to a
real-server based on a database lookup.
Vulnerability overview:
// Use a proxy?
if( $prh )
{
    // proxy address (host:port)
    $web->proxy( $prh );
    // proxy authentication credentials, if any
    if( $pra )
        $web->proxyauth( $pra );
}
The FTP proxy used in Apple's Airport Express, Airport Extreme, Time Capsule and possibly elsewhere doesn't check the client provided address and port given by the FTP PORT command against the IP address of the connecting client, or against the use of privileged ports. (The FTP PORT command is used by a FTP client to tell an FTP server which address and data port to initiate the data connection on.) The FTP proxy is used to provide assistance to clients operating in NAT environments served by the Apple products. FTP servers running behind a NAT with this assistance can have addresses in the command channel rewritten for them so that external clients can reach them when operating in passive mode. The ALG operates as a proxy server, assuming responsibility for connections to the FTP server, and must therefore also handle and modify rewriting of the PORT command. It looks like it might be ftp-proxy from PF.
The effect of this problem is to allow anybody with access to the FTP port forwarded on the exterior side of an Apple Airport product that offers NAT to internal clients, which for a publicly-accessible FTP server is the big bad world, to induce an FTP server operating behind a NAT to send data to arbitrary addresses and ports. This is true even if the FTP server is configured to operate more securely, since it sees connections from the NAT's exterior interface, not the connecting client. This is useful for bouncing anonymous port scans off the victim NAT, or if data is available or can be written to and then read from the FTP server, potentially for anonymous attacks, spam, news floods, and other such badness. Any trust relationship and/or security implied or assumed by a NAT is also gone, since the PORT command can also specify private addresses, inside the NAT, for victimisation. Best of all, the gateway itself makes no log entry concerning FTP connections that have been run through the proxy.
Workarounds: do not use FTP; do not trigger the use of the ALG (FTP proxy) by explicitly using ports other than 21 on the inbound port mapping. If you can't do those things, you can avoid the worst effects of this attack by disabling FTP uploads that can later be downloaded by anonymous users.
Apple likes to keep secrets for the protection of its customers. Since the reasonable release of this advisory removes that protection, confidential information vouchsafed to me can be safely disclosed with no ill effects. Apple has a fix, and according to its last seemingly automatic template message, they are still testing it and do not know precisely when it will be released. This is confidential information. DO NOT DISCLOSE!
Advisory history:
Background
==========
nginx is a robust, small and high performance HTTP and reverse proxy
server.
Affected packages
=================
-------------------------------------------------------------------
======================================================================
5) Solution
Filter malicious characters or character sequences using e.g. a
web proxy.
======================================================================
6) Time Table
07/01/2008 - Vendor notified.
could exploit this to perform script injection attacks using XBL bindings.
(CVE-2009-1308)
Shuo Chen, Ziqing Mao, Yi-Min Wang, and Ming Zhang discovered that
Thunderbird did not properly handle error responses when connecting to a
proxy server. If a user had JavaScript enabled while using Thunderbird to
view websites and a remote attacker were able to perform a
man-in-the-middle attack, this flaw could be exploited to view sensitive
information. (CVE-2009-1836)
It was discovered that Thunderbird could be made to run scripts with
could include some second order vulnerabilities - a severe attack
scenario might be possible.
V. DETECTION
Detection of web-based attacks requires a specialized web proxy and/or
intrusion detection system. Patterns for such detection are available
and easy to implement. Usually the less-than (<) and greater-than (>)
characters are required to form an HTML tag. In some cases single (') or
double quotes (") are required to inject the code into a given HTML
statement. Some implementations of security systems
allocated dynamically.
So Probability of this being the reason: Very Low
2. AT&T is using a proxy caching server and the authentication cookies
used by Facebook were stored on the proxy server.
If a proxy server was being used by AT&T then when a request went out to
Facebook it would check for a valid session using the server’s IP
address and then check for an authentication cookie on that server. If
one existed the user would then be authenticated even though this time
WPAD (Web Proxy Auto Discovery) is a method used by web clients to automatically
locate a browser configuration file used to connect through a proxy.
A successful attack on WPAD gives the attacker full access to user data
sent to the Internet, which could allow theft of critical data such as
passwords or credit card numbers. The potential danger of WPAD depends on
two factors: default configuration and weak awareness among users.
In this article we discuss WPAD architecture and its many functioning principles in home
Edit a normal access log and set the request method to an overly long
string.
Edit a normal useragent log and set the useragent field to an overly
long string or send a request to the Squid proxy server passing an
overly long string as useragent in the HTTP header.
---------
Solution:
Interesting (and serendipitous, at that <g>).
ISA Server 2004+ allows you to configure "allowed / denied methods" in any rule for which the web proxy is involved; effectively nullifying this attack.
..of course, this requires the web devs to communicate the minimum required methods for their site - something I've rarely seen expressed with any real authority.
Jim
-----Original Message-----
From: Arshan Dabirsiaghi [mailto:arshan.dabirsiaghi@aspectsecurity.com]
Proof of concept:
-----------------
This vulnerability can be exploited with a web browser and plugins / web
proxy.
Vendor contact timeline:
------------------------
Problem type : remote
Debian-specific: no
CVE ID : CVE-2009-2629
Chris Ries discovered that nginx, a high-performance HTTP server, reverse
proxy and IMAP/POP3 proxy server, is vulnerable to a buffer underflow when
processing certain HTTP requests. An attacker can use this to execute
arbitrary code with the rights of the worker process (www-data on Debian)
or possibly perform denial of service attacks by repeatedly crashing
worker processes via a specially crafted URL in an HTTP request.
Where: Remote
======================================================================
3) Vendor's Description of Software
"Ziproxy is forwarding, non-caching, compressing HTTP proxy server.
Basically it squeezes images by converting them to lower quality JPEGs
or JPEG 2000 and compresses (gzip) HTML and other text-like data.".
Product Link:
http://ziproxy.sourceforge.net/
hpuxws22APCH32.MOD_JK2
hpuxws22APCH32.MOD_PERL
hpuxws22APCH32.MOD_PERL2
hpuxws22APCH32.PHP
hpuxws22APCH32.PHP2
hpuxws22APCH32.WEBPROXY
hpuxws22APCH32.WEBPROXY2
hpuxws22TOMCAT.TOMCAT
action: install revision B.2.2.8.04 or subsequent
URL: http://software.hp.com